Cyberattacks and breaches continue to reach new heights. The FBI’s Internet Crime Report 2021 highlights a massive increase in cybercrime, with losses amounting to nearly $7 billion. What’s even more worrisome is that organizations worldwide spent about $150 billion on security solutions last year. So why are existing solutions failing to address the growing cybersecurity problem? It’s simple: current solutions do not focus enough on the human factor.
No amount of security strategy or technology can succeed if people don’t make good security decisions when it matters most.
A recent paper dubbed The Endpoint Ecosystem 2022 National Study revealed three critical issues with employees that organizations should address.
- Employees Lack Awareness of Security Risks
The pandemic made the workforce more distributed and autonomous, and employers are still finding it difficult to adapt to this new style of working. A majority of employees lack security awareness: 39% of employees receive security awareness training less than once per year. A majority don’t review security policies regularly: 27% of employees see security policies less than once a year. And 49% of young workers admit to finding workarounds to restrictive security policies.
- Poor Password Habits Put Organizations at Risk
Password credentials are one of the most sought-after pieces of information by cyber criminals. The famous Colonial Pipeline attack that caused the company to shut down its fuel supply is believed to have happened because of a single inactive, stolen VPN password. The Endpoint Ecosystem study claims employees struggle to remember passwords and that’s why 69% are guilty of choosing passwords that are too simplistic and easy to recall. 29% of workers write their passwords in simple notes applications on their phones, while another 24% record them in personal journals. These problems can be easily addressed using readily available and often free password managers, but only 31% of employees reportedly use them.
- BYOD Is Not Securely Implemented
The pandemic reignited the need for BYOD. However, less than half of organizations (43%) have a secured BYOD program in place. According to the survey, almost 64% of employees are currently using personal devices at work, and only a third are enabled to securely access systems, data and applications from their personal devices.
What This Report Means For Your Business
It’s high time organizations recognize the human factor involved in managing security hygiene and accept that they aren’t dealing with technology problems but with native, human vulnerabilities. We are all naturally social creatures of habit who like taking the path of least resistance. This means we are prone to taking mental shortcuts and cutting corners when making security-related decisions (to click or not to click that email link?). Phishing studies show that 30% of users are repeat victims: users who fall for one phishing scam end up falling for others as well. To overcome this awareness and behavior problem, organizations can invest in creating a culture of cybersecurity. This means training regularly using interactive and engaging means such as gamification, and being honest about what your business will or won’t tolerate. It helps to design individual programs that deal with different levels of security maturity and competency. We also tend to be influenced by others easily. If you see a worker practicing a healthy form of skepticism, encourage it, embrace it and make it part of the culture so that others can follow suit. According to researchers and security agencies, basic cybersecurity hygiene (from a training and awareness context) is the answer to preventing a majority of cyberattacks and breaches.
Cyber Hygiene Isn’t Only About Training And Awareness
Cyber hygiene consists of three things: people, processes and technology. From a people perspective, security training and awareness is the main tool. From a process standpoint, it’s all about providing employees with guidelines on how to deal with suspicious content, informing them of their personal responsibility, liability and accountability in security incidents, and setting best practices around phishing, password management, incident response and defense-in-depth strategies. Cyber hygiene is also about having standardized tools in place that protect and monitor the organization against known and unknown threats. This includes things like multi-factor authentication, least privilege access, antimalware and data protection technologies, regular patching and updates, firewalls, etc. Per Microsoft research, cybersecurity hygiene can protect organizations against 98% of attacks.
Better security starts by focusing on your security culture. As long as cyber hygiene is deeply rooted in culture, employees will be considered more of an asset and the best line of defense rather than a liability in your overall cybersecurity posture.
About the Author
Perry Carpenter is the author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and the host of the 8th Layer Insights podcast on The CyberWire network. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.